The developers of the Redox operating system unveiled recently that they have introduced the new package manager pkgar, which will be used within the system.
For those who do not know about Redox which it's an operating system which Its main focus is that its development is using the Rust language and the concept of microkernel where only kernel level interaction between processes and resource management is provided and all other functionality is carried over to libraries that can be used by both the kernel and user agents.
As part of the project, a new package format is being developed, a library with package management functions and a command line tool to create and extract a collection of cryptographically verified files.
The pkgar format is not intended to be universal and it is optimized taking into account the specifics of the Redox OS operating system.
The package manager supports source verification by digital signature and integrity check. Checksums are calculated using the blake3 hash function. The check functionality of pkgar can be accessed without actually saving the package file, manipulating only the header part.
En particular, the package consists of a header file (.pkgar_head) and a data file (.pkgar_data). A properly signed full digest package (.pkgar) can be obtained simply by attaching the header file to the data file.
The header file contains separate checksums for the header and parameterized structures of the data file, as well as a digital signature to verify the packet.
The data file includes a sequential list of all supplied files and directories in the package. Before each data element there is a structure with metadata, which includes a checksum for the data itself, the size, the access rights, the relative path of the file to install and the offset of the parameters of the next data element .
If during the update process the individual files have not changed and the checksum matches, then they are skipped and not downloaded.
The integrity of the source can be verified by getting only the header file and the correctness of the selected data file by loading only the structures with the parameters from this file and making sure they match the checksum checked in the header file.
Directly, the data itself can be verified after downloading it, using the checksum of the structure with the parameters that precede the data.
Initially, packages imply the possibility of repeatable assembly, which implies that creating a package for a specific directory always leads to the formation of an identical package. After installation, only the metadata is saved on the system, which is enough to rebuild the package from the installed data (package composition, checksums, paths, and access rights are available in the metadata).
The main objectives of pkgar:
- Atomic: updates apply whenever possible automatically.
- Traffic saving: data is transmitted over the network only when the hash changes (only updated files are downloaded during the update).
- High-performance fast cryptographic algorithms are involved (blake3 supports parallelization of data processing when calculating a hash). If the repository data has not been previously cached, a hash can be calculated for the downloaded data at boot time.
- Minimalism: Unlike other formats, pkgar includes only the metadata necessary to extract the package.
- Installation directory independence: Any user can install the package in any directory (the user must have the right to write to the selected directory).
- Safety: packets are always cryptographically verified and verification is done before actual packet operations are performed (header is loaded first, and if digital signature is correct, data is transferred to temporary directory, which is moved to directory destination after verification).